From 93c57ca5ab676437965524316a6bf935e39fc51c Mon Sep 17 00:00:00 2001
From: Serghei Mihai
Date: Fri, 28 Oct 2016 11:11:49 +0200
Subject: [PATCH] api: fix access permissions (#13785)

---
 corbo/settings.py | 7 +++++++
 tests/test_api.py | 35 ++++++++++++++++++++++++++---------
 2 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/corbo/settings.py b/corbo/settings.py
index 00c4d89..38eeadf 100644
--- a/corbo/settings.py
+++ b/corbo/settings.py
@@ -154,6 +154,13 @@ MELLON_USERNAME_TEMPLATE = '{attributes[name_id_content]}'
 MELLON_IDENTITY_PROVIDERS = []
 
 
+if 'REST_FRAMEWORK' not in globals():
+    REST_FRAMEWORK = {}
+
+REST_FRAMEWORK['DEFAULT_PERMISSION_CLASSES'] = (
+    'rest_framework.permissions.IsAuthenticated',
+)
+
 # default site
 SITE_BASE_URL = 'http://localhost'
 
diff --git a/tests/test_api.py b/tests/test_api.py
index 9b4d7b7..c6bb505 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -5,6 +5,7 @@ from uuid import uuid4
 
 from django.core.urlresolvers import reverse
 from django.utils.http import urlencode
+from django.contrib.auth import get_user_model
 
 from corbo.models import Category, Announce, Broadcast, Subscription
 from corbo.models import channel_choices
@@ -34,9 +35,20 @@ def announces():
         announces.append(a)
     return announces
 
-
-def test_get_newsletters(app, categories, announces):
-    resp = app.get(reverse('newsletters'), status=200)
+@pytest.fixture
+def user():
+    User = get_user_model()
+    user = User.objects.create(username='john.doe',
+                               first_name=u'John', last_name=u'Doe', email='john.doe@example.net')
+    user.set_password('password')
+    user.save()
+    return user
+
+
+def test_get_newsletters(app, categories, announces, user):
+    resp = app.get(reverse('newsletters'), status=403)
+    app.authorization = ('Basic', ('john.doe', 'password'))
+    resp = app.get(reverse('newsletters'))
     data = resp.json
     assert data['data']
     for category in data['data']:
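Review bot: `IsAuthenticated` in the new `DEFAULT_PERMISSION_CLASSES` only demands that *some* account is logged in, and the subscription endpoints exercised in tests/test_api.py take the target `email` as a query parameter, so any authenticated user — presumably including accounts django-mellon provisions from the MELLON_* settings just above — can read, rewrite or delete another address's subscriptions. If the API is meant for a trusted service client rather than end users, narrow this to something like `'rest_framework.permissions.IsAdminUser'` (or `DjangoModelPermissions`), or at least state the trust assumption in a comment above the block. The fix also leaves `DEFAULT_AUTHENTICATION_CLASSES` at DRF's default (Session then Basic); pinning it explicitly, e.g. `REST_FRAMEWORK['DEFAULT_AUTHENTICATION_CLASSES'] = ('rest_framework.authentication.SessionAuthentication', 'rest_framework.authentication.BasicAuthentication')`, keeps the behaviour the tests rely on from shifting under a DRF upgrade or a later settings override. Because Basic auth sends the password with every request and `SITE_BASE_URL` defaults to plain http, a comment noting that the API must only be exposed over TLS is worth adding as well.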
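Review bot: The `status=403` asserted for the anonymous request at the top of test_get_newsletters is what DRF returns only when the first configured authentication class offers no `WWW-Authenticate` challenge, which holds for DRF's default order (SessionAuthentication before BasicAuthentication); were Basic listed first, the same request would get 401. Since the commit leaves `DEFAULT_AUTHENTICATION_CLASSES` unpinned, this and the other `status=403` assertions in the file silently depend on that default — a comment on the assertion, e.g. `# 403, not 401: DRF's default auth order puts SessionAuthentication first`, would save the next person a confused debugging session. The `user` fixture would also benefit from a one-line docstring, e.g. `"""A plain (non-staff) account; any authenticated user is granted API access."""`, since that is exactly what these tests demonstrate.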
@@ -47,15 +59,17 @@ def test_get_newsletters(app, categories, announces):
         assert category['transports'] == [{'id': 'mailto', 'text': 'Email'}]
 
 
-def test_get_subscriptions_by_email(app, categories, announces):
+def test_get_subscriptions_by_email(app, categories, announces, user):
     resp = app.get(reverse('subscriptions'), status=403)
     foo = 'foo@example.com'
+    resp = app.get(reverse('subscriptions'), {'email': foo}, status=403)
+    app.authorization = ('Basic', ('john.doe', 'password'))
     for identifier, name in channel_choices[:1]:
         for category in categories:
             uri = '%s:%s' % (identifier, foo)
             subscription = Subscription.objects.create(identifier=uri,
                                                        category=category)
-            resp = app.get(reverse('subscriptions'), {'email': foo}, status=200)
+            resp = app.get(reverse('subscriptions'), {'email': foo})
             assert 'data' in resp.json
             data = resp.json['data']
             for d in data:
@@ -65,9 +79,10 @@ def test_get_subscriptions_by_email(app, categories, announces):
                     assert t['id'] == identifier
 
 
-def test_update_subscriptions(app, categories, announces):
+def test_update_subscriptions(app, categories, announces, user):
     params = urlencode({'email': 'foo@example.com', 'uuid': str(uuid4())})
+    app.authorization = ('Basic', ('john.doe', 'password'))
     subscriptions_url = reverse('subscriptions') + '?' + params
     for category in categories:
         transports = []
@@ -79,7 +94,7 @@ def test_update_subscriptions(app, categories, announces):
                            'transports': transports}]
         resp = app.post_json(subscriptions_url , subscriptions)
         if resp.json['data']:
-            resp = app.get(subscriptions_url, status=200)
+            resp = app.get(subscriptions_url)
             print resp.json['data']
             for cat in resp.json['data']:
                 if cat['id'] == category_id:
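Review bot: In test_get_subscriptions_by_email the pre-existing `resp = app.get(reverse('subscriptions'), status=403)` on the bare URL now passes for a different reason — no credentials — so whatever rejection the view applied to a request without `email` is no longer exercised by this test. Repeat that request once authenticated, e.g. right after `app.authorization = ('Basic', ('john.doe', 'password'))` add `app.get(reverse('subscriptions'), status=403)` (or whichever status the view uses for a missing `email`; the hunk does not show the view). The loop body of this test continues past the end of the hunk.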
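Review bot: test_update_subscriptions sets `app.authorization` before its first request, so unlike test_get_subscriptions_by_email and test_delete_subscriptions it never checks that an anonymous POST is rejected, and the write path is the one most worth pinning. Add a negative check before the credentials are set, e.g. `app.post_json(subscriptions_url, [], status=403)` placed after `subscriptions_url` is built, which means moving the `app.authorization = ('Basic', ('john.doe', 'password'))` line below that assignment (DRF runs permission checks before the view body, so the empty payload should not matter, but confirm against the view). The function body continues beyond this hunk.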
@@ -87,10 +102,12 @@ def test_update_subscriptions(app, categories, announces):
                     assert sub_transports == transports
 
 
-def test_delete_subscriptions(app, categories, announces):
+def test_delete_subscriptions(app, categories, announces, user):
     params = urlencode({'email': 'foo@example.com', 'uuid': str(uuid4())})
     subscriptions_url = reverse('subscriptions') + '?' + params
+    resp = app.delete(subscriptions_url, status=403)
+    app.authorization = ('Basic', ('john.doe', 'password'))
     resp = app.delete(subscriptions_url)
     if resp.json['data']:
-        resp = app.get(subscriptions_url, status=200)
+        resp = app.get(subscriptions_url)
     assert resp.json['data'] == []
-- 
2.10.1